OCSP stapling error, certificate not trusted by the web browser

First, really sorry for the multiple threads.

1. My Caddy version (caddy version):

v2.0.0-rc.3

2. How I run Caddy:

a. System environment:

Windows 10 Home 64-bit

b. Command:

caddy reverse-proxy --to 127.0.0.1:8096

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
	"admin": {
		"disabled": true
	},
	"apps": {
		"http": {
			"servers": {
				"proxy": {
					"listen": [
						":443"
					],
					"routes": [
						{
							"handle": [
								{
									"handler": "reverse_proxy",
									"transport": {
										"protocol": "http"
									},
									"upstreams": [
										{
											"dial": "127.0.0.1:8096"
										}
									]
								}
							],
							"match": [
								{
									"host": [
										"localhost"
									]
								}
							]
						}
					]
				}
			}
		}
	}
}

3. The problem I’m having:

I’m running caddy with admin privileges. When accessing localhost through a web browser, I get the following error in the console:
[WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate.

Firefox shows a security warning with the error SEC_ERROR_UNKNOWN_ISSUER.

4. Error messages and/or full log output:

Microsoft Windows [version 10.0.18363.778]
(c) 2019 Microsoft Corporation. Tous droits réservés.

C:\WINDOWS\system32>caddy reverse-proxy --to 127.0.0.1:8096
2020/04/24 17:41:32.604 WARN   admin   admin endpoint disabled
2020/04/24 17:41:32.606 INFO   http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/04/24 17:41:32.606 INFO   http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2020/04/24 17:41:32.629 INFO   tls     setting internal issuer for automation policy that has only internal subjects but no issuer configured  {"subjects": ["localhost"]}
2020/04/24 17:41:32.632 INFO   tls     cleaned up storage units
2020/04/24 19:41:32 [INFO][cache:0xc000735d10] Started certificate maintenance routine
2020/04/24 17:41:32.654 INFO   pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2020/04/24 17:41:32.656 INFO   http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2020/04/24 19:41:32 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/04/24 17:41:32.658 INFO   autosaved config        {"file": "C:\\Users\\me\\AppData\\Roaming\\Caddy\\autosave.json"}
Caddy 2 proxying from http://localhost:443 to http://127.0.0.1:8096

5. What I already tried:

I’ve tried untrusting / re-trusting the certificate.

6. Links to relevant resources:

There are two unrelated things happening here:

This is fine; it just means there’s no OCSP server URL in the certificate, which is expected because Caddy itself issued this certificate and there’s no real utility for revocation checking in that case.

So that is a non-issue.

That’s because Caddy can’t install the cert into Firefox on Windows. To be trusted there, you’ll have to install it manually. (It has nothing to do with the OCSP warning.)
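An added example (not Caddy's code or the poster's) showing what the warning refers to: it builds a constructed self-signed localhost certificate with the third-party `cryptography` package and reads its Authority Information Access extension, which is where a CA publishes an OCSP responder URL. The responder URL used is a placeholder.

```python
# Added example, not Caddy's code: shows why a locally issued certificate
# triggers "no OCSP server specified in certificate" (needs `pip install cryptography`).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def make_cert(ocsp_url=None):
    # Constructed self-signed "localhost" cert. With ocsp_url=None it has no
    # Authority Information Access (AIA) extension, like Caddy's internal CA output.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "localhost")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=False)
    )
    if ocsp_url:  # a public CA would point here; the URL is a placeholder
        aia = x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
        builder = builder.add_extension(aia, critical=False)
    return builder.sign(key, hashes.SHA256())


def ocsp_responders(cert):
    # OCSP responder URLs from the AIA extension; [] when the extension is absent.
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]


def stapling_status(cert):
    # Same decision Caddy's warning reflects: no responder URL, nothing to staple.
    urls = ocsp_responders(cert)
    return "no OCSP server specified in certificate" if not urls else "staple from " + urls[0]
```

Run `stapling_status(make_cert())` to reproduce the warning text, and pass a URL to `make_cert` to see the case a publicly issued certificate would hit.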

Thanks. Does this mean that Firefox doesn’t trust Windows’ CAs?

Is this installation permanent, or do I have to renew the installation if the certificate expires?

Is Firefox the only problematic browser?

And is this necessary if I access my local server using its public DNS ?

Correct, Firefox ships with its own trust store.

It’s basically permanent. The root cert is good for 10 years. We should probably make it longer.

As far as I know, the only supported browsers on Windows are those which use the system trust store.

It doesn’t matter.

Thanks.

If I manage to configure Caddy to get a certificate from Let’s Encrypt, I assume Firefox will trust it out of the box?

Yeah, because Let’s Encrypt is a publicly-trusted CA.

